Options for PCI-DSS on AWS - file integrity monitoring and intrusion detection
I need to deploy some file integrity monitoring and intrusion detection software on AWS instances.
I really wanted to use OSSEC, however it does not work well in an environment where servers can auto deploy and shut down based on load, because it requires server managed keys to be generated. Including the agent in the AMI will not allow monitoring as soon as it comes up because of that.
There are many options out there, and several are listed in other posts on this site, however none that I've seen so far deal with the unique problems inherent in AWS or cloud based deployments in general.
Can anyone point me at some products, preferably open source, that we might use to cover those portions of PCI DSS that require this software?
Has anyone else achieved this on AWS?
Solution 1:
I think you can still use OSSEC. A while back I found a blog that seems to indicate that you can at least automate it with Puppet, which would mean you could probably create a lot of excess keys, then just assign them as needed possibly.
http://myrondavis.org/2010/12/how-to-completely-automate-ossec.html
Solution 2:
There is an option to move to PKI instead of symmetric encryption with the ossec-authd. http://dcid.me/blog/2011/01/automatically-creating-and-setting-up-the-agent-keys/
This would make additions of auto spawned agents (scale out) to the server very easy. But removal of agents upon scale-in is the hard part. https://groups.google.com/forum/#!msg/ossec-list/cpoopmzBf3Q/JZObqvgAFi4J
One idea suggested on the above link is to have a monkey to clean up dead instances from the server periodically by querying AWS. That would work because once an instance dies as a result of scale-in, it will begin to fail the OSSEC server's keep-alive signals. So the monkey could detect inactive agents then check AWS to see if the instance is terminated and remove it from the OSSEC server.
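The cleanup job described in Solution 2, as an added example (not part of the original answer and not OSSEC project code). It assumes each agent is registered under its EC2 instance ID as the agent name, that all instances live in one region, and that `agent_control -l` prints one `ID: ..., Name: ..., IP: ..., <status>` line per agent; the sample listing and states are constructed.

```python
import re

# Line format printed by OSSEC's `agent_control -l` (assumed):
#    ID: 002, Name: i-0bbb2222, IP: any, Disconnected
AGENT_RE = re.compile(r"^\s*ID:\s*(\d+),\s*Name:\s*(.+?),\s*IP:\s*(\S+),\s*(.+?)\s*$")
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]+$")  # assumption: agent name == instance ID

def parse_agents(listing):
    """Return [(agent_id, name, status)] from agent_control -l output."""
    agents = []
    for line in listing.splitlines():
        m = AGENT_RE.match(line)
        if m:
            agents.append((m.group(1), m.group(2), m.group(4)))
    return agents

def ec2_states(instance_ids):
    """Look up EC2 states; IDs missing from the result no longer exist."""
    import boto3  # imported lazily so the planning logic runs offline
    pages = boto3.client("ec2").get_paginator("describe_instances").paginate(
        Filters=[{"Name": "instance-id", "Values": list(instance_ids)}])
    return {i["InstanceId"]: i["State"]["Name"]
            for p in pages for r in p["Reservations"] for i in r["Instances"]}

def plan_cleanup(listing, states):
    """Split silent agents into safe-to-remove and needs-investigation."""
    remove, investigate = [], []
    for agent_id, name, status in parse_agents(listing):
        if status != "Disconnected" or not INSTANCE_ID_RE.match(name):
            continue  # active, never connected, or not an auto-scaled agent
        state = states.get(name)  # None: AWS no longer knows the instance
        if state in (None, "terminated", "shutting-down"):
            remove.append(agent_id)       # candidate for manage_agents -r <id>
        else:
            investigate.append(agent_id)  # instance alive but agent silent
    return remove, investigate

# Constructed sample data, not captured from a real server.
SAMPLE_LISTING = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: i-0aaa1111, IP: any, Active
   ID: 002, Name: i-0bbb2222, IP: any, Disconnected
   ID: 003, Name: i-0ccc3333, IP: any, Disconnected
   ID: 004, Name: i-0ddd4444, IP: any, Disconnected
"""
SAMPLE_STATES = {"i-0aaa1111": "running", "i-0bbb2222": "terminated",
                 "i-0ddd4444": "running"}
```

Agents in the second list belong to instances that are still running but have stopped reporting, so they should raise an alert rather than be removed: a silenced agent on a live host is a monitoring gap.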